b"    February 23, 2006\n\n\n\n\nInformation Technology\nManagement\nDoD Organization Information\nAssurance Management of\nInformation Technology Goods and\nServices Acquired Through\nInteragency Agreements\n(D-2006-052)\n\n\n\n\n             Department of Defense\n            Office of Inspector General\n Quality                Integrity     Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Department of\n  Defense Inspector General at http://www.dodig.mil/audit/reports or contact the\n  Secondary Reports Distribution Unit, Audit Followup and Technical Support at\n  (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact Audit Followup and\n  Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932.\n  Ideas and requests can also be mailed to:\n\n                    ODIG-AUD (ATTN: AFTS Audit Suggestions)\n                      Department of Defense Inspector General\n                        400 Army Navy Drive (Room 801)\n                            Arlington, VA 22202-4704\n\n\n\n\nAcronyms\nAEFC                  Air and Space Expeditionary Force Center\nCIO                   Chief Information Officer\nDoD IG                Department of Defense Inspector General\nESA                   Enterprise Service Activity\nCOR                   Contracting Officer\xe2\x80\x99s Representative\nGAO                   Government Accountability Office\nIA                    Information Assurance\nIT                    Information Technology\nJPAS                  Joint Personnel Adjudication System\nMIPR                  Military Interdepartmental Purchase Request\nNETC                  Naval Education and Training Command\nSPAWARSYSCOM          Space and Naval Warfare Systems Command\nSSC                   Space and Naval Warfare Systems Center\nUSARC                 U.S. 
Army Reserve Command\n\x0c\x0c               Department of Defense Office of Inspector General\nReport Number D-2006-052                                             February 23, 2006\n  (Project No. D2005-D000AS-0173)\n\n   DoD Organization Information Assurance Management of Information\n               Technology Goods and Services Acquired\n                   Through Interagency Agreements\n\n\n                                Executive Summary\n\nWho Should Read This Report and Why? Chief information officers within DoD and\nindividuals responsible for DoD Component information assurance should read this\nreport because it contains information on properly securing information technology\ngoods and services purchased through interagency agreements.\nBackground. Many Federal agencies, including DoD, are now making greater use of\ninteragency agreements to improve the Government\xe2\x80\x99s aggregate buying power and\nsimplify the procurement process. The information technology goods and services\npurchased through these agreements do not stand alone, but instead are part of the\nseamless web of communications networks, computers, software, databases, applications,\nsecurity services, and other capabilities used by DoD. As a result, information assurance\nis an important aspect of any DoD information system, no matter how the system\ncomponents or services are acquired, whether through traditional acquisitions or\ninteragency agreements.\n\nDoD Components are required to implement and maintain adequate security programs\nthat include the minimum information assurance controls outlined in DoD\nInstruction 8500.2, \xe2\x80\x9cInformation Assurance (IA) Implementation,\xe2\x80\x9d February 6, 2003, for\nall DoD information systems. 
Army, Navy, and Air Force chief information officers rely\non subordinate command chief information officers to follow this guidance for all\ninformation systems, including those acquired through interagency agreements.\nAdditionally, the National Institute of Standards and Technology Special Publication\n800-12, \xe2\x80\x9cAn Introduction to Computer Security,\xe2\x80\x9d October 1995, recommends monitoring\nprocedures for tracking user activity on DoD systems and networks.\nResults. Officials at four DoD organizations within the Army, Navy, and Air Force did\nnot fully implement comprehensive information assurance controls required to protect\nDoD information. Specifically, organization users were granted access to DoD systems\nprior to receiving information assurance training, user security clearances were not\nverified, and user activity reviews were not conducted. As a result, the integrity,\nconfidentiality, and availability of DoD operational data and information technology\nsystems cannot be guaranteed. See the Finding section of the report for the detailed\nrecommendations. The U.S. Army Reserve Command and Space and Naval Warfare\nSystems Command (including the Space and Naval Warfare Systems Center San Diego)\nmanagement controls for coordinating, documenting, and tracking information assurance\ntraining completion were not adequate to ensure that training was provided to all\npersonnel and the management controls for verifying user security clearances were not\n\x0cadequate to ensure that access was granted to the appropriate personnel. The Air and\nSpace Expeditionary Force Center management controls for monitoring user activity\nwere not adequate to detect, report, and document attempted or realized penetrations of\ninformation systems. Implementing the recommendations will correct the identified\nweaknesses.\n\nManagement Comments and Audit Response. The Commander, U.S. 
Army Reserve\nCommand responded to the findings in the draft of this report, but did not respond to the\nrecommendations. The U.S. Army Reserve Command should provide comments on the\nfinal report by April 24, 2006. The Commander, Space and Naval Warfare Systems\nCommand and the Commander, Space and Naval Warfare Systems Center San Diego\nconcurred with two of the recommendations and were not responsive to two of the\nrecommendations. We do not agree that there is a clear procedure for ensuring that\ninformation assurance awareness training is properly documented and tracked for all\npersonnel. The Commander, Air and Space Expeditionary Force Center concurred with\nthe recommendations; therefore no further comments are required. See the Finding\nsection of the report for a discussion of management comments and the Management\nComments section of the report for the complete text of the comments.\n\n\n\n\n                                            ii\n\x0cTable of Contents\n\nExecutive Summary                                         i\n\nBackground                                               1\n\nObjectives                                               2\n\nManagers\xe2\x80\x99 Internal Control Program                       2\n\nFinding\n     DoD Organization Information Assurance Management   4\n\nAppendixes\n     A. Scope and Methodology                            12\n     B. Prior Coverage                                   15\n     C. Report Distribution                              17\n\nManagement Comments\n     Department of the Army                              19\n     Department of the Navy                              22\n     Department of the Air Force                         27\n\x0cBackground\n           Interagency Agreements. 
Many Federal agencies are now making greater use of\n           interagency agreements to purchase commonly used goods1 and services,2\n           including information technology (IT), thereby improving the Government's\n           aggregate buying power and simplifying the procurement process. The IT goods\n           and services purchased through these agreements do not stand alone, but instead\n           are part of the DoD communications networks, computers, software, databases,\n           applications, and security services. Information assurance (IA) is an important\n           aspect of all DoD information systems, no matter how the system components or\n           services are acquired, whether through traditional acquisitions or interagency\n           agreements.\n\n           Information Assurance. DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance (IA)\n           Implementation,\xe2\x80\x9d February 6, 2003, states that each DoD Component is\n           responsible for implementing and maintaining an adequate security program for\n           information and IT assets that includes an IA architecture, a supporting master\n           plan, clear assignment of organizational roles and responsibilities, and for\n           developing and managing a professional IA workforce.\n\n           Command Roles and Responsibilities. DoD Directive 8500.1, \xe2\x80\x9cInformation\n           Assurance (IA),\xe2\x80\x9d October 24, 2002, certified current as of November 21, 2003,\n           directs the Assistant Secretary of Defense for Networks and Information\n           Integration, as the DoD Chief Information Officer (CIO), to monitor and evaluate\n           IA by developing guidance and annually evaluating DoD Component readiness.\n           Further, DoD Directive 8500.1 requires DoD Component heads to develop and\n           implement Component-specific IA programs and provide IA awareness training\n           to all Component personnel. 
Army, Navy, and Air Force CIOs rely on\n           subordinate organization CIOs to follow this guidance for all information\n           systems, including those acquired through interagency agreements. As such, we\n           focused on IA policy and guidance implementation at several Army, Navy, and\n           Air Force organizations to assess the overall effectiveness of the DoD and Service\n           CIO management of IA controls over IT goods and services obtained through\n           interagency agreements. DoD Instruction 8500.2 establishes a baseline IA level\n           for all DoD information systems through the assignment of specific IA controls.\n\n           Information Assurance Controls. IA controls protect and defend the integrity,\n           confidentiality, and availability of information and information systems and\n           include user IA awareness training, security clearance documentation, and user\n           activity monitoring.\n\n           This report will focus on IA controls for four of the six interagency purchases\n           selected:\n\n                    \xe2\x80\xa2    U.S. Army Reserve Command (USARC) used Military\n                         Interdepartmental Purchase Request (MIPR) No. MIPR04CIBER037\n1\n    Goods are tangible products, such as computer hardware or software.\n2\n    Services are work performed by a contractor to update, implement, or change an already established\n     system, such as systems integration or administrative tasks.\n\n\n\n                                                       1\n\x0c               to pay the balance owed on an existing interagency agreement,\n               allowing the command to rebid for network services using traditional\n               acquisition processes.\n\n\n           \xe2\x80\xa2   Space and Naval Warfare Systems Command (SPAWARSYSCOM),\n               used MIPR No. 
N0003904IPFLD36 to purchase a systems integration\n               to ensure that communications and advanced command hardware meet\n               requirements.\n\n           \xe2\x80\xa2   Naval Education and Training Command (NETC) used MIPR\n               No. N6804504MPAC202 to fund the procurement and installation of\n               5,000 computer workstations, including physical connections, network\n               configuration, de-installation, on-site data wiping, and\n               disposal/decommissioning of existing computers.\n\n           \xe2\x80\xa2   Air and Space Expeditionary Force Center (AEFC) used MIPRs\n               No. DD44809N401228 and DD44809N401229 to purchase on-site\n               Continuity of Operations equipment and off-site backup equipment.\n\n\nObjectives\n    Our overall audit objective was to evaluate DoD and Service CIO processes for\n    managing IT goods and services obtained through interagency agreements and\n    determine whether those processes adequately addressed information security.\n    Specifically, we determined whether DoD and Service CIOs followed DoD and\n    Federal policies for proper certification and accreditation, risk assessment, and\n    user access permissions related to DoD information systems. We also reviewed\n    the managers\xe2\x80\x99 internal control program as it related to the overall objective. 
See\n    Appendix A for a discussion of the scope and methodology and Appendix B for\n    prior coverage related to the objectives.\n\n\nManagers\xe2\x80\x99 Internal Control Program\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26, 1996,\n    and DoD Instruction 5010.40, \xe2\x80\x9cManagement Control (MC) Program Procedures,\xe2\x80\x9d\n    August 28, 1996, require DoD organizations to implement a comprehensive\n    system of management controls that provides reasonable assurance that programs\n    are operating as intended and to evaluate the adequacy of the controls.\n\n    Scope of the Review of the Managers\xe2\x80\x99 Internal Control Program. We\n    reviewed the adequacy of management controls over DoD Component IT\n    resources. Specifically, we reviewed USARC, SPAWARSYSCOM and Space\n    and Naval Warfare Systems Center (SSC) San Diego, NETC, and AEFC\n    management controls over IT funding and IA. In addition, we reviewed\n    management\xe2\x80\x99s self-evaluation applicable to those controls.\n\n\n\n                                         2\n\x0cAdequacy of Management Controls. We reviewed material management\ncontrol weaknesses for the four sites visited, as defined by DoD\nInstruction 5010.40. The USARC, SPAWARSYSCOM, and SSC San Diego\nmanagement controls for coordinating, documenting, and tracking IA training\ncompletion were not adequate to ensure that training was provided to all\npersonnel in accordance with DoD Directive 8570.1, \xe2\x80\x9cInformation Assurance\nTraining, Certification, and Workforce Management,\xe2\x80\x9d August 15, 2004. 
The\nUSARC, SPAWARSYSCOM, and SSC San Diego management controls for\nverifying user security clearances were not adequate to ensure that access was\ngranted to the appropriate personnel in accordance with the Office of\nManagement and Budget Circular A-130, \xe2\x80\x9cSecurity of Federal Automated\nInformation Resources,\xe2\x80\x9d November 28, 2000, and the Office of the Under\nSecretary of Defense Memorandum, \xe2\x80\x9cFacilitating Classified Visits within the\nDepartment of Defense,\xe2\x80\x9d April 1, 2005. The AEFC management controls for\nmonitoring user activity were not adequate to detect, report, and document\nattempted or realized penetrations of information systems because the procedures\nfor doing so were not documented. Implementing the recommendations will\ncorrect the identified weaknesses. A copy of the report will be provided to the\nsenior officials responsible for management controls at USARC,\nSPAWARSYSCOM, and AEFC. We did not identify any management control\nweaknesses at NETC.\n\nAdequacy of Management\xe2\x80\x99s Self-Evaluation. USARC officials did not identify\nIA as an assessable unit and, therefore, did not identify or report the management\ncontrol weaknesses identified by our audit. Program Executive Officer\nCommand, Control, Communications, Computers and Intelligence and Space\nofficials identified IA accreditation as part of an assessable unit but did not\nperform an evaluation because management did not complete the schedule in the\nmanagement control plan. AEFC officials identified IT as an assessable unit;\nhowever, during its evaluation they did not identify the management control\nweaknesses identified by this audit because the AEFC evaluation covered a much\nbroader area. 
NETC officials identified IA as an assessable unit and, like the\naudit team, identified no specific management control weakness related to the\nunit.\n\n\n\n\n                                    3\n\x0c           DoD Organization Information\n           Assurance Management\n           Officials at four DoD organizations within the Army, Navy, and Air Force\n           had not fully implemented the comprehensive IA controls that are required\n           to protect DoD information systems. Specifically:\n\n               \xe2\x80\xa2   organization users did not receive IA awareness training prior to\n                   being granted access to DoD systems,\n\n               \xe2\x80\xa2   user security clearances were not verified, and\n\n               \xe2\x80\xa2   user activity reviews were not conducted.\n\n           DoD organization officials did not fully implement IA controls because IA\n           roles and responsibilities were unclear and current operations were not\n           documented. As a result, the integrity, confidentiality, and availability of\n           DoD operational data and IT systems cannot be guaranteed.\nInformation Assurance Controls\n    Officials at four DoD organizations within the Army, Navy, and Air Force had\n    not fully implemented comprehensive IA controls that are required to protect\n    DoD information systems. DoD Directive 8500.1, \xe2\x80\x9cInformation Assurance (IA),\xe2\x80\x9d\n    October 24, 2002, certified current as of November 21, 2003, assigns\n    responsibility to DoD Component Heads for developing and implementing IA\n    programs focused on securing the integrity, confidentiality, and availability of\n    DoD information and information systems. 
Instead, DoD Components rely on\n    organization-level CIOs to develop and fully implement tailored, comprehensive\n    IA programs for all IT goods and services obtained, whether through traditional\n    acquisitions or interagency agreements.\n\n    Information Assurance Awareness Training. DoD Directive 8570.1\n    \xe2\x80\x9cInformation Assurance Training, Certification, and Workforce Management,\xe2\x80\x9d\n    August 15, 2004, requires that all authorized users, including contractors, receive\n    IA awareness training as a condition of access to any DoD system and, thereafter,\n    complete annual IA refresher training.\n\n    From May through August 2005, we included in our USARC selection for review\n    any Government or contract official with access to or responsibility for the\n    existing interagency agreement that was paid-in-full using MIPR\n    No. MIPR04CIBER037. Additionally, from June through August 2005, we\n    included in our SPAWARSYSCOM and SSC San Diego selection for review any\n    Government or contract official with access to or responsibility for the systems\n    integration using MIPR No. 
N0003904IPFLD36.\n    USARC and SPAWARSYSCOM, and SSC San Diego system users did not\n    receive IA awareness training prior to being granted access to the systems\n    because USARC, SPAWARSYSCOM, and SSC San Diego officials did not\n\n\n\n                                         4\n\x0ceffectively coordinate, document, and track IA training for all personnel and IT\nusers.\n\nUSARC officials could not provide completed training forms for 8 of the\n15 contractor personnel (53 percent) reviewed because USARC Headquarters and\nUSARC Enterprise Service Activity (ESA) personnel did not clearly establish\nwho was responsible for retaining IA training records and verifying completion.\nUSARC Headquarters and USARC ESA officials should identify and assign\nspecific roles and responsibilities for implementing the USARC IA awareness\ntraining program.\n\nSPAWARSYSCOM and SSC San Diego officials could not provide IA training\ndocuments for any of the seven contract personnel reviewed because officials did\nnot clearly establish responsibility for ensuring that IA training was completed by\nall personnel, including contractors. SPAWARSYSCOM and SSC San Diego\nofficials should identify and assign specific roles and responsibilities for\nimplementing the SPAWARSYSCOM and SSC San Diego IA awareness training\nprogram.\n\nUSARC, SPAWARSYSCOM, and SSC San Diego personnel should improve\ntheir IA awareness training programs for all employees and contractors so that all\nGovernment and contract personnel are aware of their security roles and\nresponsibilities and understand the potential threats to DoD systems before they\ngain access to information systems.\n\nUser Access Controls. DoD organization officials did not adequately verify user\nsecurity clearances or conduct user activity reviews.\n\n        User Security Clearances. 
The Office of Management and Budget\nCircular A-130, \xe2\x80\x9cSecurity of Federal Automated Information Resources,\xe2\x80\x9d\nNovember 28, 2000, requires that individual security clearances be verified prior\nto authorizing personnel access to IT systems, and periodically thereafter.\nFurther, the Office of the Under Secretary of Defense Memorandum, \xe2\x80\x9cFacilitating\nClassified Visits within the Department of Defense,\xe2\x80\x9d April 1, 2005, requires that\nthe Joint Personnel Adjudication System (JPAS) be used to verify personnel\nsecurity clearances for visitors requiring access to classified information.\n\nThe four DoD organizations reviewed had developed procedures for verifying the\nidentity, personnel security clearance, and need-to-know for all visitors prior to\ngiving authorized access to IT systems. However, two of the four organizations,\nUSARC and SPAWARSYSCOM, did not fully implement the procedures\ndeveloped and, as a result, were not adequately verifying user security clearances.\n        USARC Headquarters and USARC ESA officials did not clearly establish\nresponsibility for user security clearance verification. For example, USARC ESA\nand USARC Headquarters officials could not provide JPAS security verification\nfor 6 of the 15 contractors reviewed. USARC officials provided visit\nauthorizations for some users and JPAS verifications for others. 
Not only was\nthere confusion regarding which officials were responsible for verifying which\nusers, but also regarding the required documents and procedures to be used.\n\n\n\n                                     5\n\x0c            USARC officials should identify and assign specific roles and responsibilities for\n            verifying USARC user security clearances.\n\n                    Although SPAWARSYSCOM and SSC San Diego officials verified\n            contract agency facility clearances3 by confirming that each visit request was\n            necessary, they did not adequately verify that individual security clearances4 were\n            current, nor did they validate each using JPAS because the procedures were\n            unclear and not documented. This current process fully relies on the contract\n            agency to provide accurate information on individual contractors who may\n            change during the course of a project. SPAWARSYSCOM and SSC San Diego\n            officials should define specific responsibilities for verifying individual security\n            clearance information and use the JPAS to validate individual clearance\n            information.\n\n                    User Activity Reviews. DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance\n            (IA) Implementation,\xe2\x80\x9d February 6, 2003, requires that DoD Component IA\n            programs detect, report, and document attempted or realized penetrations of DoD\n            information systems and include appropriate countermeasures or corrective\n            actions. 
The National Institute of Standards and Technology Special\n            Publication 800-12, \xe2\x80\x9cAn Introduction to Computer Security,\xe2\x80\x9d October 1995,\n            recommends periodic monitoring of audit logs to identify unauthorized use.\n\n                    While three of the four DoD organizations reviewed had developed user\n            activity monitoring programs to protect their systems, AEFC did not fully\n            implement a user activity monitoring program because specific procedures were\n            not documented and a formal, recurring monitoring schedule had not been\n            developed. Instead, AEFC officials stated they informally review the audit logs\n            three times a week for suspicious activity. These procedures rely on infinite\n            permanency in personnel positions and consistent memory to periodically review\n            the logs. AEFC officials should develop standard written procedures for\n            monitoring user activity and establish a schedule for reviewing system audit logs\n            that will help protect organization information and IT systems. Without such a\n            monitoring system, the AEFC organization systems\xe2\x80\x99 first line of defense may be\n            weakened.\n\n\nConclusion\n            The integrity, confidentiality, and availability of DoD operational data and IT\n            systems cannot be guaranteed because IA awareness training programs were not\n            fully implemented and monitored, user security clearances were not adequately\n            verified, and user activity reviews were not conducted regularly. Without proper\n            training implementation and recording, the integrity of DoD systems cannot be\n            guaranteed because users may not be aware of, and strictly adhere to, the\n            standards of conduct necessary to protect the information. 
Additionally, if user\n3\n    Facility clearances are granted to an entire contractor facility, based on an investigation verifying that the\n     individuals who run, own, and manage the facility have been cleared.\n4\n    Individual security clearances are granted to individual personnel, based on background investigations and\n     personal interviews.\n\n\n\n                                                          6\n\x0c    security clearances are not adequately verified, then the confidentiality of secretly\n    disclosed or closely held organization information may be compromised because\n    the information may be released to individuals who are not properly cleared.\n    Furthermore, if user activity reviews are not conducted regularly, users may\n    improperly use organization systems to damage or impair the availability of\n    critical DoD information.\n\n    Previous DoD Inspector General (DoD IG) Report No. D2005-025, \xe2\x80\x9cDoD\n    FY 2004 Implementation of the Federal Information Security Management Act\n    for Information Technology Training and Awareness,\xe2\x80\x9d December 17, 2004,\n    identified weaknesses in IA training programs at the Defense Commissary\n    Agency, Defense Contract Management Agency, and Washington Headquarters\n    Services. The report concluded that the DoD CIO did not establish adequate\n    procedures for DoD Components to monitor IA awareness training. Our report\n    identifies similar weaknesses at USARC, SPAWARSYSCOM, and SSC San\n    Diego. Our repeated identification of systemic IA training weaknesses at various\n    DoD activities indicates that the DoD CIO and individual DoD Components\n    continue to ineffectively monitor and implement their IA training programs. 
No\n    additional recommendations to the Assistant Secretary of Defense for Networks\n    and Information Integration/DoD Chief Information Officer will be made at this\n    time because ongoing corrective actions for the recommendations made in DoD\n    IG Report No. D2005-025 should correct the identified problems.\n\n\nManagement Comments on the Findings and Audit\n Response\n    Management Comments. The Commander, U.S. Army Reserve Command\n    stated that the findings and recommendations in the draft report were incorrect or\n    were no longer valid concerns. The Commander, U.S. Army Reserve Command\n    stated that MIPR No. MIP04CIBER037 expired in September 2004 and a new\n    contract with a different contractor was in place at USARC as of July 2005.\n\n    Audit Response. USARC comments were not responsive. The audit team\n    focused on contract personnel that were retained by the new contract. DoD\n    information assurance policies and procedures apply to the new contract and\n    contractor.\n\n    Information Assurance Awareness Training. The Commander, U.S. Army\n    Reserve Command stated that USARC has an IA training program in place which\n    includes both initial IA training (provided in a Newcomer\xe2\x80\x99s Orientation) and\n    annual refresher training (provided via Web-based instruction). Further, the\n    Commander, U.S. Army Reserve Command stated that the USARC Information\n    Assurance Security Officer maintains training certificates for those who complete\n    IA training in a centralized database. Finally, the Contracting Officer\xe2\x80\x99s\n    Representative (COR) and the Contractor\xe2\x80\x99s Program Manager, who were not\n    interviewed during the site visit, maintain IA training records for contract\n    personnel.\n\n\n\n\n                                          7\n\x0c    Audit Response. USARC comments were not responsive. 
DoD Directive\n    8570.1 requires that IA training be tracked and documentation be maintained by\n    the IA Security Officer. However, the IA Security Officer had not tracked or\n    documented that the reviewed contractor personnel had received training.\n    Additionally, the IA Security Officer did not provide information or an agreement\n    that either the COR or the Contractor\xe2\x80\x99s Program Manager were designated with\n    the responsibility to track and document IA training. Therefore, USARC could\n    not provide assurance that contractor personnel received the required IA training\n    before accessing DoD information systems.\n\n    User Security Clearances. The Commander, U.S. Army Reserve Command\n    stated that USARC Headquarters G-2/6 Security Office was responsible for\n    verifying security clearance information and has used JPAS for more than 2 years.\n    Additionally, the Commander, U.S. Army Reserve Command stated that the\n    USARC G-2/6 Security Office assigned security managers within every\n    directorate, both Headquarters and the USARC ESA. Further, USARC stated that\n    the COR and the Contractor\xe2\x80\x99s Program Manager maintain contractors\xe2\x80\x99 security\n    clearance information.\n\n    Audit Response. USARC comments were not responsive. Neither USARC\n    Headquarters G-2/6 Security Office nor USARC ESA Security Managers could\n    provide documentation that verified contractors maintained the proper security\n    clearances. It is the responsibility of the IA security office to verify and maintain\n    documentation that contractors\xe2\x80\x99 security clearances are valid and updated.\n\n\nRecommendations, Management Comments, and Audit\n  Response\n    1. We recommend that the Commander, U.S. Army Reserve Command\n    direct the Chief Information Officer, U.S. Army Reserve Command to:\n\n            a. 
Conduct and document annual information assurance awareness\n    training, in accordance with DoD Directive 8570.1, \xe2\x80\x9cInformation Assurance\n    Training, Certification, and Workforce Management,\xe2\x80\x9d August 15, 2004, for\n    all U.S. Army Reserve Command employees and contractors.\n\n           b. Within 30 days of report issuance, establish clear procedures that\n    designate organization-specific roles and responsibilities for tracking\n    training for all employees and contractors.\n\n           c. Within 30 days of report issuance, establish clear procedures\n    designating specific roles and responsibilities for verifying individual security\n    clearances in accordance with the Office of Management and Budget\n    Circular A-130, \xe2\x80\x9cSecurity of Federal Automated Information Resources,\xe2\x80\x9d\n    November 28, 2000, for all U.S. Army Reserve Command employees and\n    contractors.\n\n    Management Comments. The Commander, U.S. Army Reserve Command did\n    not comment on the recommendations. We request the Commander, U.S. Army\n\n\n                                          8\n\x0cReserve Command provide comments to the final report recommendations by\nApril 24, 2006.\n\n2. We recommend that the Commander, Space and Naval Warfare Systems\nCommand direct the Chief Information Officer, Space and Naval Warfare\nSystems Command and the Chief Information Officer, Space and Naval\nWarfare Systems Center San Diego to:\n\n       a. Conduct and document annual information assurance awareness\ntraining, in accordance with DoD Directive 8570.1, \xe2\x80\x9cInformation Assurance\nTraining, Certification, and Workforce Management,\xe2\x80\x9d August 15, 2004, for\nall Space and Naval Warfare Systems Command employees and contractors.\n\n        Management Comments. The Commander, Space and Naval Warfare\nSystems Command concurred with Recommendation 2.a. 
The Commander, Space and Naval Warfare Systems Command stated that IA training is conducted and documented for all personnel to include contractors with computer system and network access. The Commander, Space and Naval Warfare Systems Command works within the Navy-Marine Corps Intranet network. IA training was conducted command-wide in FY 2005 and a manual process is in place to track completion of IA training. Individuals are responsible to provide completion certificates to the Command IA Manager. Additionally, new personnel who require access to the Navy-Marine Corps Intranet must complete IA training and provide a certificate prior to receiving access approval. SSC San Diego conducts and documents IA training for all military, Government, and contractor personnel with computer system and network access. SSC San Diego has established a Web-based training module that automatically updates and tracks training. Center-wide IA training was completed on September 30, 2005.

        Audit Response. Although the Commander, Space and Naval Warfare Systems Command concurred with the recommendation, the comments were not responsive. SPAWARSYSCOM and SSC San Diego were unable to provide training documentation for the contractors reviewed that showed they had received the required IA training before accessing the DoD information system. The current SPAWARSYSCOM system does not ensure that personnel who are outside the Navy-Marine Corps Intranet network will receive IA training as required by DoD Directive 8570.1.

        b. Within 30 days of report issuance, establish clear procedures designating organization-specific roles and responsibilities for tracking training for all employees and contractors.

        Management Comments.
The Commander, Space and Naval Warfare Systems Command responded stating that SPAWARSYSCOM and SSC San Diego already have a clear procedure in place to track training for all personnel. Information Assurance Managers for each system center within the claimancy are appointed in writing and are responsible for ensuring training of individuals with access to their networks. SPAWARSYSCOM Claimancy IA staff including SSC San Diego provides metrics to the Claimant IA Program Manager on a monthly basis, and holds monthly and quarterly program reviews where they address progress on key areas such as compliance with training.

        Audit Response. SPAWARSYSCOM and SSC San Diego comments were not responsive. Neither SPAWARSYSCOM nor SSC San Diego officials could identify individual roles and responsibilities to track training of all personnel including the contractors reviewed. Specifically, employees within the SPAWARSYSCOM Claimancy IA staff were unable to identify the individual responsible for tracking the IA training of the seven contract personnel. These contractors had access to DoD information systems before receiving the required IA training outlined in DoD Directive 8570.1. Therefore, SPAWARSYSCOM and SSC San Diego officials cannot be assured that personnel who have not received IA training before being granted access to DoD information systems are aware of their security roles and responsibilities and understand the potential threats to DoD systems.

        c. Within 30 days of report issuance, establish clear procedures designating specific roles and responsibilities for verifying individual security clearances in accordance with the Office of Management and Budget Circular A-130, “Security of Federal Automated Information Resources,” November 28, 2000, for all Space and Naval Warfare Systems Command employees and contractors.

        d.
Begin using the Joint Personnel Adjudication System immediately to validate individual security clearances in accordance with the Office of the Under Secretary of Defense Memorandum, “Facilitating Classified Visits within the Department of Defense,” April 1, 2005.

Management Comments. SPAWARSYSCOM concurred with Recommendations 2.c. and 2.d. stating that SPAWARSYSCOM will develop a policy directive covering SPAWARSYSCOM claimancy and supported Program Executive Offices, which will establish procedures for verifying individual personnel security clearances and identify specific roles and responsibilities. SPAWARSYSCOM estimates completion for Recommendation 2.c. by June 30, 2006. Further, SPAWARSYSCOM and SSC San Diego are in the process of implementing the JPAS for the verification of security clearances. Additionally, a Security Functional Change Lead Team will establish a new security policy directive/manual that will comply with Office of the Under Secretary of Defense Memorandum and Chief of Naval Operations policy to ensure visitor and security clearance information is verified prior to authorizing access to SPAWARSYSCOM facilities and classified information. The estimated completion is April 1, 2006.

3. We recommend that the Commander, Air and Space Expeditionary Force Center direct the Systems Administrator, Air and Space Expeditionary Force Center to:

        a. Deactivate inactive, suspended, and terminated accounts immediately.

        b. Review audit logs for failed and unauthorized user attempts to log in.

        c. Document consistent procedures that will help to implement the deactivation of inactive, suspended, and terminated accounts and establish a schedule to review audit logs on no less than a weekly basis for failed and unauthorized user attempts to log in.

Management Comments.
The Commander, Air and Space Expeditionary Force Center concurred and ordered that all inactive, suspended, or terminated accounts be deactivated immediately, effective January 13, 2006. Additionally, the Air Force response stated that the AEFC Commander ordered reviews of all system access logs under the control of AEFC to be performed and annotated in a System Information Assurance Log on a weekly basis, effective January 11, 2006. Finally, the Air Force response stated that the AEFC Commander ordered development of permanent policy and procedures that address monitoring user activity and established a schedule for reviewing system access on a weekly basis. According to the Air Force response, policy documentation is due to the AEFC Commander for review and approval by February 15, 2006.

Appendix A. Scope and Methodology

We met with DoD Office of Inspector General, Contract Management officials to gather information regarding their project, “Audit of DoD Purchases Through the General Service Administration,” (Project No. D2004-D000CF-0238.000). From these meetings we obtained and reviewed documentation and working papers to identify IT goods and services worth at least $100,000 that were purchased through interagency agreements. We selected the following eight MIPRs used by six DoD organizations for review:

• USARC used MIPR No. MIPR04CIBER037 to pay the balance ($2,135,811) on an existing interagency agreement, allowing the command to re-bid for Army Reserve Network services using traditional acquisition processes.

• SPAWARSYSCOM used MIPR No. N0003904IPFLD36 to purchase a $1,699,021 systems integration to ensure that communications and advanced command hardware meet requirements.

• NETC used MIPR No.
N6804504MPAC202 to fund an $8,000,000 procurement and installation for 5,000 computer workstations at 33 sites, including physical connections, network configuration, de-installation, on-site data wiping, and disposal/decommissioning.

• AEFC used MIPRs No. DD44809N401228 and DD44809N401229 to purchase on-site Continuity of Operations equipment for $40,143 and off-site backup equipment for $172,246.

• Commander, Naval Reserve Forces Command used MIPR No. N0007204MP34275 to procure Defense Message System equipment valued at $706,324.

• U.S. Southern Command used MIPRs No. MIPR4F21K60065 and MIPR4M21T60129 to purchase software integration and technical services totaling $7,500,000 for the Logistics Command and Control System in Colombia. However, we did not visit U.S. Southern Command in Miami, Florida, because all documents, hardware, and software related to MIPRs No. MIPR4F21K60065 and MIPR4M21T60129 at the U.S. Southern Command were controlled by the Colombian government, and therefore outside of our scope.

We met with the DoD and Service CIOs to gather information regarding their management of interagency agreements, specifically our selected purchases, and identify the implemented IA requirements for each Service. Additionally, we met with Security officials from the DoD Office of Inspector General to identify information security procedures.

We reviewed Federal and DoD policy to identify the procedures established for DoD Component IA programs, including IA training, user access, certification and accreditation, and risk assessment.
Specifically, we reviewed DoD Directive 8500.1, “Information Assurance (IA),” October 24, 2002, certified current as of November 21, 2003, to gather overall IA requirement information and determine DoD Component heads’ roles and responsibilities for IA programs.

Information Assurance Training. We reviewed DoD Directive 8570.1, “Information Assurance Training, Certification, and Workforce Management,” August 15, 2004, to identify IA training requirements for DoD employees and contractors.

User Security Clearance Verification. We reviewed the Office of Management and Budget Circular A-130, “Security of Federal Automated Information Resources,” November 28, 2000, to determine existing requirements for verifying individual security clearances prior to providing authorized access to DoD systems. Additionally, we reviewed the Office of the Under Secretary of Defense Memorandum, “Facilitating Classified Visits within the Department of Defense,” April 1, 2005, which better defines the required security clearance verification system to be used.

User Activity Monitoring.
We reviewed DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003, and the National Institute of Standards and Technology Special Publication 800-12, “An Introduction to Computer Security,” October 1995, to determine the recommended monitoring procedures for tracking user activity on DoD systems and networks.

We conducted interviews with IA, system administration, security, and certification and accreditation officials at the following sites to gather detailed information on the IA procedures each DoD Component developed and implemented, related to the six selected MIPRs:

• USARC in Fort McPherson, Georgia, and USARC ESA in Peachtree City, Georgia;

• SPAWARSYSCOM Headquarters and SPAWAR Systems Center in San Diego, California;

• NETC Headquarters, Naval Air Station Pensacola and the Center for Naval Leadership, Naval Base Corry Station in Pensacola, Florida; Aegis Training and Readiness Center, Naval Surface Warfare Center Dahlgren Division in Dahlgren, Virginia; Navy-Marine Corps Intelligence Training Center in Virginia Beach, Virginia; and the Center for Naval Aviation Technical Training Unit, Naval Air Station Oceana in Virginia Beach, Virginia;

• AEFC at Langley Air Force Base in Virginia; and

• Commander, Naval Reserve Forces Command in New Orleans, Louisiana.

Additionally, we identified some conditions during our site visit at the Commander, Naval Reserve Forces Command but, due to the condition of the New Orleans area after Hurricane Katrina, no recommendations will be forthcoming.

During our interviews with the identified officials, we reviewed system security authorization agreements; training completion documents; security
clearance verification forms; computer audit logs; and standard operating procedures related to IA training, user security clearances, and user activity monitoring to determine whether DoD Components properly followed Federal and DoD guidance. Additionally, we used judgmental samples of personnel involved with the IT goods or services purchased to test whether each Component’s user access procedures were in accordance with applicable laws.

We performed this audit from April 2005 through December 2005 in accordance with generally accepted government auditing standards.

Use of Computer-Processed Data. We relied on computer-processed event or audit logs generated by the DoD Component information systems. We reviewed the information in the event or audit logs for compliance with Federal and DoD guidance, but we did not assess the validity or accuracy of the systems used by the DoD Components to generate the data.

Government Accountability Office High-Risk Area. The Government Accountability Office (GAO) has identified several high-risk areas in DoD. This report provides coverage of the Protecting the Federal Government’s Information Systems and the Nation’s Critical Infrastructures high-risk areas.

Appendix B. Prior Coverage

During the last 5 years, GAO, DoD IG, the Army Audit Agency, the Naval Audit Service, and the Air Force Audit Agency have issued 12 reports discussing information assurance. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/audit/reports.

GAO

GAO Report No. GAO-05-362, “Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk,” April 22, 2005

GAO Report No.
GAO-01-307, “Progress and Challenges to an Effective Defense-wide Information Assurance Program,” March 30, 2001

DoD IG

DoD IG Report No. D-2005-096, “DoD Purchases Made Through the General Services Administration,” July 29, 2005

DoD IG Report No. D-2005-094, “Proposed DoD Information Assurance Certification and Accreditation Process,” July 21, 2005

DoD IG Report No. D-2005-054, “DoD Information Technology Security Certification and Accreditation Process,” April 28, 2005

DoD IG Report No. D-2005-025, “DoD FY 2004 Implementation of the Federal Information Security Management Act for Information Technology Training and Awareness,” December 17, 2004

Army Audit Agency

Army Audit Agency Report No. A2004-0216-FFB, “Information Systems Security Material Weakness,” April 8, 2004

Naval Audit Service

Naval Audit Service Report No. N2004-0072, “Operational Controls at Naval Air Systems Command Headquarters and Naval Air Warfare Centers,” August 16, 2004

Naval Audit Service Report No. N2004-0063, “Operational Controls at Naval Aviation Depots,” July 9, 2004

Naval Audit Service Report No. N2004-008, “Information Technology Certification and Accreditation Process,” October 28, 2003

Air Force Audit Agency

Air Force Audit Agency Report No. F2005-0002-FB4000, “Information Assurance Position Certification Training for Air Force Network Professionals,” March 21, 2005

Air Force Audit Agency Report No.
F2002-0003-C06600, “Certification and Accreditation of Air Force Systems,” April 22, 2002

Appendix C. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
Under Secretary of Defense for Personnel and Readiness
Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer
Chief Information Officer, Office of the Secretary of Defense
Director, Program Analysis and Evaluation
Director, Defense Procurement and Acquisition Policy

Joint Staff
Director, Joint Staff
Chief Information Officer, Joint Staff

Department of the Army
Assistant Secretary of the Army for Financial Management and Comptroller
Auditor General, Department of the Army
Chief Information Officer, Department of the Army
Commander, U.S. Army Reserve Command

Department of the Navy
Assistant Secretary of the Navy for Manpower and Reserve Affairs
Naval Inspector General
Auditor General, Department of the Navy
Chief Information Officer, Department of the Navy
Commander, Space and Naval Warfare Systems Command
Commander, Space and Naval Warfare Systems Center San Diego

Department of the Air Force
Assistant Secretary of the Air Force for Financial Management and Comptroller
Auditor General, Department of the Air Force
Chief Information Officer, Department of the Air Force
Commander, Air and Space Expeditionary Force Center

Unified Commands
Chief Information Officer, U.S. Northern Command
Chief Information Officer, U.S. Southern Command
Chief Information Officer, U.S. Joint Forces Command
Chief Information Officer, U.S. Pacific Command
Chief Information Officer, U.S. European Command
Chief Information Officer, U.S.
Central Command
Chief Information Officer, U.S. Transportation Command
Chief Information Officer, U.S. Special Operations Command
Chief Information Officer, U.S. Strategic Command

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Department of the Army Comments

Department of the Navy Comments

Department of the Air Force Comments

Team Members

The Department of Defense Office of the Deputy Inspector General for Auditing, Acquisitions and Contract Management prepared this report. Personnel of the Department of Defense Office of Inspector General who contributed to the report are listed below.

Mary L. Ugone
Richard B. Jolliffe
Jacqueline Wicecarver
Sean Davis
Therese Kince
Deirdre Beal
Benita Holliman
Kelly Lesly
Mandie Marr
Marcia Hart
Karma Cleveland
Matt Price
Meredith DePalma
Dana Fink
Jacqueline Pugh
Meredith H. Johnson
"